Enterprise threat detection (ETD) typically collects and stores large sets of real-time log data (often referred to as "big data") associated with Information Technology (IT) security. The log data can be categorized into various heterogeneous Entities, such as computing systems, users, servers, proxies, clients, firewalls, Internet Protocol (IP) addresses, host names, Media Access Control (MAC) addresses, and events (or "Events"). An Entity associated with an Event can also act with one or more assigned roles (for example, administrator, developer, or general user). Accordingly, some Entities can be considered to be related to each other; for example, a user, the host the user logged on to, and the IP address and MAC address used for the logon are all associated with the same logon Event.
The log data can be analyzed computationally using forensic-type data analysis tools to reveal patterns, trends, interactions, and associations, and to identify suspicious behavior within them, especially behavior of the kind ETD is intended to detect. Appropriate responses can then be taken if malicious behavior is suspected or identified. Currently, however, ETD tools either list all raw log data in a table-like list or show a few Entities with their associated attributes (or properties). Neither view makes it practical to determine the relationships among Entities or the roles the Entities play in Events of interest.
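The following is an added example, not code from the original text, of how Entities, Events, and roles as described above can be modelled so that relationships become queryable rather than buried in a raw table. It assumes a simplified log record with `user`, `role`, `host`, `ip`, and `mac` fields; the sample Events are constructed for illustration and do not come from any real system. Entities are keyed by (kind, value), an edge between two Entities records the ids of the Events in which both appeared, and a separate map records the roles each user has acted with.

```python
from collections import defaultdict, deque

# Constructed sample Events (not real log data). Each record is one log entry in
# which several heterogeneous Entities (user, host, IP, MAC) co-occur.
SAMPLE_EVENTS = [
    {"id": 1, "type": "logon", "user": "alice", "role": "developer",
     "host": "build01", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01"},
    {"id": 2, "type": "logon", "user": "bob", "role": "administrator",
     "host": "dc01", "ip": "10.0.0.9", "mac": "aa:bb:cc:00:00:02"},
    {"id": 3, "type": "config_change", "user": "alice", "role": "developer",
     "host": "dc01", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:01"},
    {"id": 4, "type": "proxy_request", "user": "carol", "role": "general user",
     "host": "ws17", "ip": "10.0.0.23", "mac": "aa:bb:cc:00:00:03"},
    {"id": 5, "type": "logon", "user": "carol", "role": "general user",
     "host": "ws17", "ip": "10.0.0.5", "mac": "aa:bb:cc:00:00:03"},
]

# Assumed field names that carry an Entity value (hypothetical schema).
ENTITY_FIELDS = ("user", "host", "ip", "mac")


def build_entity_graph(events):
    """Build the Entity relationship graph from a list of Events.

    Returns (adjacency, roles):
      adjacency[(kind, value)][(kind2, value2)] -> set of Event ids in which
        both Entities appeared together (an undirected, Event-labelled edge)
      roles[user] -> set of roles that user has acted with across Events
    """
    adjacency = defaultdict(lambda: defaultdict(set))
    roles = defaultdict(set)
    for ev in events:
        present = [(k, ev[k]) for k in ENTITY_FIELDS if ev.get(k)]
        # Every pair of Entities in the same Event is related through it.
        for a in present:
            for b in present:
                if a != b:
                    adjacency[a][b].add(ev["id"])
        if ev.get("user") and ev.get("role"):
            roles[ev["user"]].add(ev["role"])
    return adjacency, roles


def related_entities(adjacency, start, max_hops=2):
    """Breadth-first walk: Entities reachable from `start` within `max_hops`
    edges, mapped to their hop distance. Excludes `start` itself."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for nxt in adjacency.get(cur, {}):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    seen.pop(start)
    return seen


def shared_entities(adjacency, kind, a, b):
    """Entities of `kind` that both `a` and `b` co-occurred with, e.g. an IP
    address that two different users have logged on from."""
    near_a = {e for e in adjacency.get(a, {}) if e[0] == kind}
    near_b = {e for e in adjacency.get(b, {}) if e[0] == kind}
    return near_a & near_b


def role_event_mismatches(events, privileged_types, privileged_roles):
    """Ids of Events whose type is privileged but whose acting role is not.
    A simple illustration of using roles to flag Events of interest."""
    return [ev["id"] for ev in events
            if ev["type"] in privileged_types
            and ev.get("role") not in privileged_roles]


if __name__ == "__main__":
    adjacency, roles = build_entity_graph(SAMPLE_EVENTS)
    print("roles:", dict(roles))
    print("alice within 2 hops:", related_entities(adjacency, ("user", "alice")))
    print("IPs shared by alice and carol:",
          shared_entities(adjacency, "ip", ("user", "alice"), ("user", "carol")))
    print("non-admin config changes:",
          role_event_mismatches(SAMPLE_EVENTS, {"config_change"}, {"administrator"}))
```

In the constructed data, alice and carol share the IP address 10.0.0.5 even though they never appear in the same Event, and alice reaches bob in two hops through the host dc01; neither relationship is visible from a flat listing of the five records. The role check is deliberately simple: a real deployment would draw privileged Event types and roles from the organization's own catalogue rather than from literals.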